ICO: “Consent is one way to comply with the GDPR, but it’s not the only way”

The Information Commissioner’s Office (ICO), in the latest of a series of blogs about GDPR ‘myths’, has discussed the issue of getting fresh consent from customers to comply with the GDPR.

Steve Wood, the ICO’s deputy commissioner for policy, said, “You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.”

“Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent. It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act”, Wood added.

The ICO advises companies to think about whether they actually need to refresh consent before they send consent emails.

Wood said, “Organisations risk non-compliance if their emails are difficult to follow and key information is lost at the end of long text – people must clearly understand what they are consenting to.”

Wood added, “Being open and transparent is a key component of the GDPR and the ICO has provided guidance on informing people about how their data is used.

Before sending emails consider what the most effective way is to reach your customer – it may not be email. Consider a data protection by design approach – where can this information be embedded to have the best impact.”

ICO research found that a fifth of the UK public has trust and confidence in companies and organisations storing its personal information.

Wood said, “Consent is one way to comply with the GDPR, but it’s not the only way. Scaremongering about consent still persists but the headlines often lack context or understanding about all the different lawful bases organisations could use for processing personal information under the GDPR.”

He advises that “for processing to be lawful under the GDPR, you need to identify a lawful basis before you start. There are six lawful bases available for you to choose from. No single basis is ‘better’ or more important than the others – which one is most appropriate will depend on your purpose and relationship with the individual.

You know your organisation best and the purposes that you are processing personal data for. But there is help available – we have lots of guidance and resources on our website, including our lawful basis interactive guidance tool that gives tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.”